Microsoft April 2026 Patch Tuesday: 167 Vulnerabilities Patched, One Exploited in the Wild
Microsoft released its monthly security updates on April 14, 2026, addressing 167 vulnerabilities across its product portfolio. The company reported that one vulnerability has been exploited in the wild and another has been publicly disclosed. Microsoft assessed 19 of the vulnerabilities as more likely to see future exploitation.
Separately from the Patch Tuesday count, Microsoft has provided patches for 80 browser-related vulnerabilities this month, including a batch of 60 patches released in a single day last week, which Microsoft stated was a new record for that category. Microsoft Edge is based on the Chromium engine, and Chromium maintainers acknowledged researchers for the vulnerabilities Microsoft republished last Friday.
Key Vulnerabilities
CVE-2026-32201: SharePoint Spoofing Vulnerability (Exploited in the Wild)
- Type: Spoofing vulnerability
- CWE-20: Improper Input Validation
- Impact: Low impact to confidentiality and integrity, no impact to availability
- Status: Microsoft confirmed exploitation in the wild
- Patches: Available for all supported versions, including SharePoint 2016, which moves beyond extended support on July 14, 2026
CVE-2026-33825: Microsoft Defender Local Privilege Escalation (Publicly Disclosed)
- Type: Local privilege escalation
- Impact: Successful exploitation leads to SYSTEM privileges
- Status: Publicly disclosed; not reported as exploited
- Mitigation: The Microsoft Defender Antimalware Platform updates automatically by default; systems with disabled Microsoft Defender are not in an exploitable state
CVE-2026-33824: Windows IKE Services Remote Code Execution (Critical)
- Type: Unauthenticated remote code execution
- CVSS: Rated as critical
- Exploitation: Requires sending specially crafted packets to a Windows machine with IKE v2 enabled
- Affected Versions: All Windows versions back to Server 2016 and Windows 10 1607 LTSC
- Mitigation: Advisory includes guidance for restricting relevant UDP traffic for systems that cannot be patched immediately
- Credits: The advisory credits both the WARP and MORSE (Microsoft Offensive Research & Security Engineering) teams at Microsoft, marking the first explicit mention of WARP in a Microsoft security advisory acknowledgments section
Product Lifecycle Updates
Extended Support Ended (April 14, 2026)
Extended support ended for the following legacy enterprise tools:
- Dynamics C5 2016
- Dynamics NAV 2016
- App-V 5.0 and 5.1
- UE-V 2.1
- BitLocker Administration and Monitoring 2.5 SP1
.NET 9 Support Extension
Microsoft .NET 9 Standard Term Support (STS) end-of-support was extended by six months from May 2026 to November 10, 2026.